
Thread: Hexed Virus/Malware/Spyware/etc

  1. #11 e><ius (Member; Join Date: Mar 2007; Location: So.Cal.; Posts: 61)
    Quote Originally Posted by zencoder
    This concept is also called "Packing", as in, packing the executable down into a smaller size, thus changing the signature
    What joo packin? "I'm packing HEAT!"

    Quote Originally Posted by nihil
    Finally there are antivirus products that use an internal "sandbox" to open and examine files in. This is actually a rather old concept.
    That was what I was referring to. What does this "sandbox" consist of? A folder? A directory? An image? If I were in my sandbox, I'd eventually wanna play 4-square or kickball.

  2. #12 nihil (Senior Member; Join Date: Jul 2003; Location: United Kingdom: Bridlington; Posts: 17,188)
    Yes, that is the origin of the term. A sandbox was a safe play area for small children.

    AVs use a folder to open items in and observe their attempted behaviour. As this is a restricted environment it is comparatively safe.

  3. #13 Aardpsymon (Senior Member; Join Date: Feb 2007; Location: St Annes (aaaa!); Posts: 434)
    However, there have been examples of code that can break out of sandboxes, notably an exploit in Java that would give a website arbitrary code access to the entire PC. I can't recall the specifics any more; my memory sucks.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  4. #14 Senior Member (Join Date: Oct 2003; Location: MA; Posts: 1,052)
    FYI, if you only hex something like a virus, it will still be picked up by a virus scanner and picked up as the same virus. I have tried this. The only time it would bypass a malware or virus check is if the engine you are running only scans for files with certain CRCs or MD5s. I do not think there are any engines that rely on checksums like this today, at least I hope not, haha.

    Edit: Oh, even packing an executable usually does not help, because scanners have the ability to unpack most common types of packers. However, there are a few that cannot be unpacked, usually ones that are "private" and developed by "underground" groups. However, if it is already in memory it is virtually unpacked and then executed, so a memory scanner would catch them.
    Last edited by oofki; May 9th, 2007 at 12:13 PM.

  5. #15 nihil (Senior Member; Join Date: Jul 2003; Location: United Kingdom: Bridlington; Posts: 17,188)
    Yes, in the old days viruses were written by people who generally had some idea, and were, perversely, quite jealous of their achievements.

    Then skiddies started taking pre-existing code and modifying it, a process which generally involved some form of obfuscation, as they never really knew which strings were already detected.

    I agree with oofki that these days, the virus is still most likely to be detected if it is merely obfuscated. Depending on how your AV decides to report things it may be called something like "XYZ generic" which indicates that minor modification/obfuscation of the original code has taken place.

    As for the custom packing, I believe that some AVs will warn you of files that they cannot unpack or decompress? Just as they will also warn you of files they cannot scan because they are in use.

  6. #16 Senior Member (Join Date: Oct 2003; Location: MA; Posts: 1,052)
    I actually tried to hex a trojan before, like SubSeven, just to see if it was caught or not. And it still was picked up as the same SubSeven trojan. That is because they are virus "patterns": the pattern of the actual program is the same because it is still essentially executing the same commands.

    And yes, nihil, I think you are right about custom packing. This happens with password-protected zip files all the time. It could at least lead you to suspicion.
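The distinction oofki draws in #14 and #16, a scanner that knows a file only by its whole-file checksum versus one that matches a byte pattern inside it (with nihil's "XYZ generic" wildcard detections from #15), as an added example that is not part of this thread: a toy two-engine scanner in Python run over a constructed fake sample. The sample bytes, the MD5 list and the pattern are all made up for the demonstration; no real malware or AV signature is involved.

```python
"""Added example: whole-file checksum detection vs. byte-pattern detection."""
import hashlib
import re

# Constructed stand-in for a "known bad" executable: a fake header,
# a few fixed code-like bytes, an embedded string, and trailing padding.
KNOWN_BAD = (
    b"MZ" + b"\x90" * 6
    + b"\x55\x8b\xec\x83\xec\x10"           # constructed "code" bytes
    + b"connect to 192.0.2.1:1337\x00"      # constructed string artifact
    + b"\x00" * 8
)

# Engine A: a checksum-only engine knows the sample by its full-file MD5.
BAD_MD5S = {hashlib.md5(KNOWN_BAD).hexdigest()}

# Engine B: a pattern engine matches a byte sequence that a one-byte hex
# edit elsewhere in the file does not disturb. The wildcards make it a
# "generic" detection: the address/port may vary, the code shape may not.
PATTERN = re.compile(rb"\x55\x8b\xec\x83\xec.connect to [0-9.]+:\d+", re.DOTALL)


def checksum_scan(data: bytes) -> bool:
    """True only if the exact file was seen before (brittle)."""
    return hashlib.md5(data).hexdigest() in BAD_MD5S


def pattern_scan(data: bytes) -> bool:
    """True if the characteristic byte pattern is present anywhere."""
    return PATTERN.search(data) is not None


def hex_edit(data: bytes, offset: int, value: int) -> bytes:
    """Simulate the single-byte hex edit the post describes (robustness test)."""
    return data[:offset] + bytes([value]) + data[offset + 1:]


def compare(sample: bytes) -> dict:
    """Run both engines over one sample and report each verdict."""
    return {"checksum": checksum_scan(sample), "pattern": pattern_scan(sample)}


if __name__ == "__main__":
    edited = hex_edit(KNOWN_BAD, len(KNOWN_BAD) - 1, 0x41)  # touch the padding
    print(compare(KNOWN_BAD))  # {'checksum': True, 'pattern': True}
    print(compare(edited))     # {'checksum': False, 'pattern': True}
```

The checksum engine loses the file after any single-byte change, while the pattern engine still reports it (and, because of the wildcards, still reports a copy with a different address and port), which is the behaviour oofki observed.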
